[Debian-pan-maintainers] Bug#1082871: Bug#1082871: jupyterlab: CVE-2024-43805

Yadd yadd at debian.org
Tue Nov 19 17:17:24 GMT 2024


On 11/19/24 17:38, Yadd wrote:
> On 11/19/24 17:08, Sylvain Beucler wrote:
>> Hi,
>>
>> I'm part of the Debian LTS Team and I'm trying to identify the fix.
>>
>> Checking 4.2.5 and 3.6.8 history:
>> https://github.com/jupyterlab/jupyterlab/commits/4.2.x/
>> https://github.com/jupyterlab/jupyterlab/commits/3.6.x/
>>
>> the only common commit appears to be the mysterious
>> "Merge commit from fork" :
>> https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674
>> https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093
>>
>> which does seem related to HTML filtering and DOM clobbering.
>>
>> Do you concur?
>>
>> Cheers!
>> Sylvain Beucler
>> Debian LTS Team
> 
> Hi,
> 
> yes, I didn't find a better list. However, marking the CVE as fixed just
> using the mysterious commits makes me doubt...

Anyway, there are only 2 other commits between 4.2.4 and 4.2.5, which are
not related to the CVE. So I propose to consider that this commit fixes
the CVE.

Pushed into the (new) CVE-2024-43805 branch; can someone test it?
